GDPR Solution Center

Time Until GDPR Enforcement

000

DAYS

:

00

HOURS

:

00

MINUTES

:

00

SECONDS

An Action Plan for GDPR Compliance

With less than a year left until the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR), security, compliance, and business leaders are looking for smart strategies to prepare their organizations and reduce their exposure to GDPR sanctions. The GDPR’s mandate that businesses protect personal data regardless of its location puts significant pressure on enterprises that rely on SaaS applications and other cloud-based services. For a single organization, there may be dozens of cloud applications, hundreds of data types and thousands of customers and employees.

The following GDPR requirements have particular relevance to organizations that use SaaS or other cloud services:

Privacy protection by design and by default – build in privacy protection during the development of business processes and maintaining it throughout the data lifecycle.

Pseudonymization – a process for substituting identifiable data with other randomized or encrypted data that cannot be deciphered without access to a separate key or secret.

Breach notification – The GDPR mandates that authorities must be notified of a data breach within 72 hours if breached data is readable by unauthorized individuals.

Right to be erased / forgotten – Many SaaS providers maintain customer data indefinitely, even after an organization discontinues services. Organizations need to ensure its removal.

Register for the Webinar

Experts Weigh In

"Achieving GDPR compliance is not something the IT department can do alone.

Failure to adequately prepare will push firms into a compliance quagmire once May 2018 arrives."

Michael Osterman
President, Osterman Research

"Time is of the essence and the eye-popping potential fines require that GDPR compliance becomes a priority. Executives need to understand the organization’s status, risks, and potential consequences."

While the GDPR harmonizes data protection laws across Europe, local EU data protection authorities are offering inconsistent opinions on enforcement, creating a lot of uncertainty for multi-national companies."

Gerard Stegmaier
Partner, ReedSmith

"Any business with data in the cloud needs to take adequate precautions and controls.

Customer-controlled encryption provides persistent control and helps you meet a wide range of regulations including the GDPR."

Fazal Sadikali
Director, Cloud First, Accenture

"Any business with data in the cloud needs to take adequate precautions and controls.

"If someone else is processing your data the risks of GDPR exposure are huge. Even if it’s encrypted at rest, when it’s processed it gets decrypted and can be accessible in many forms - in memory, logs, cached, temporary storage, or search results."

Paul Simmonds
Security Consultant, Global Identity Foundation

"The vast majority of companies will get breached at some point.

The real question is what have you done to protect your data both on-premises or in the cloud so a breach doesn’t become a GDPR violation."

Bob West
Managing Director, Risk Services, CareWorksTech

Your 12 Month Roadmap to GDPR Compliance

With only a year remaining, these recommendations are organized in quarterly, and monthly steps to make sure you’re covered. While you may not address these steps in this exact order, your will need to address them all before May 25, 2018.

Know Your Cloud Footprint

Analyze sanctioned & unsanctioned usage

Discover where sensitive data is going

Define data usage policies

Understand Your Sensitive Data

Known field-level data (structured)

Unknown files, notes (unstructured)

Data sovereignty requirements

Apply Data Protection Policies

Encryption & key management

Tokenization / data residency

Mobile data protection

Enforce Access Controls & Compliance

Eliminate sensitive data exposure to outsiders

Enforce who, what, where, how policies

Monitor users, data, activity & anomalies

CipherCloud Solution for GDPR Compliance

To navigate the complexities of GDPR compliance, most organizations will want to work with a solution provider that has expertise in compliance and data protection for cloud environments.

CipherCloud has deep expertise in data protection and compliance for industries that depend on SaaS and other cloud-based services to conduct mission-critical business. Its data-centric protection model uses encryption, tokenization, and mobile data protection to pseudonymize data before it enters the cloud and then persistently protect it in its journey through the extended cloud ecosystem.

For more information on how CipherCloud can help your organization prepare for GDPR compliance, please contact us.

FAQs

What is the GDPR?

The General Data Protection Regulation (GDPR) is a regulation intended strengthen and unify data protection for all individuals within the European Union (EU). Unlike previous EU Data Privacy Directives, which required each EU country to enact its own data protection laws, the GDPR is legally binding throughout the EU.

When does the GDPR go into effect?

The GDPR was adopted on April 27, 2016 with a two-year window before enforcement begins on May 25, 2018.

Who is affected?

The EU protects the data of any EU citizen regardless of where that data resides globally.

Does this apply to businesses outside of Europe?

Yes – the GDPR claims extraterritoriality. If your business offers your goods or services to any EU residents, then you must comply with GDPR.

What type of personal information is covered?

The GDPR defines personal data broadly including any information relating to an individual’s private, professional, or public life, including name, home address, photos, email address, bank details, posts on social networking websites, ethnic or religious identity, sexual orientation, medical information, or a computer’s IP address.

What are the penalties for non-compliance?

If you do not comply with the GDPR you may be fined up to €20 million or 4% of your worldwide revenue, whichever is greater. You may also be subject to lawsuits by affected data subjects.

Who will enforce the GDPR?

The GDPR requires that each EU member state establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offenses, etc. Where a business has multiple establishments in the EU, it will have a single SA as its "lead authority", based on the location of its "main establishment".

Who are Data Controllers and Data Processors?

Data Controllers refer to a person or organization that has collected personal information for legitimate business reasons. Data Processors refer to entities that process data on behalf of the controller

Who is responsible for protecting personal data?

Data Controllers are always responsible and liable for protecting the personal information that they control. It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller

What is pseudonymization?

The GDPR refers to pseudonymisation as a process that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. An example of pseudonymisation is encryption, which renders the original data unintelligible and the process cannot be reversed without access to the right decryption key. The GDPR requires that this additional information (such as the decryption key) be kept separately from the pseudonymised data.

Does the GDPR recommend encryption?

While the GDPR does not require specific technologies, it does include encryption as a best practice for its principles of Privacy by Design and Privacy by Default. However, it also recognizes that encryption, like other pseudonymization techniques is only effective if the secret encryption keys are kept separately from the protected data.

Does the GDPR specify who should encrypt data?

The GDPR strongly recommends that data protection techniques, such as encryption should be carried out by the Data Controller, and applied "as soon as possible". This means that customer-controller data protection techniques are preferable to ones applied by third-parties, such as cloud providers.